SAML - Okta

KACE Cloud MDM subscribers can use Okta when setting up single sign-on (SSO).


Tip: To set up an identity provider protocol using SAML and Okta, open both KACE Cloud MDM and your Okta portal.

Step 1: In KACE Cloud MDM Portal:

To get started, copy the redirect URL to configure Okta as the identity provider.

Select SAML v2.0:

  1. Select the Settings tab in top navigation.
  2. Choose Single Sign-On in left navigation.
  3. Select SAML v2.0.

Step 1a: Copy Redirect URL

Copy the redirect URL that KACE Cloud MDM displays. It is required in the Okta SAML settings in Step 2b: it is pasted as the Single Sign-On URL, and the Audience URI (SP Entity ID) is derived from it.

Step 2: In Okta Portal

Set up Okta as your SAML Identity Provider.

Step 2a: Create Bookmarks

1) To create a bookmark application to the KACE Cloud MDM Admin portal:

  1. Select Applications > Application in top navigation.
  2. Click Add Application.
  3. Click Create New App.
  4. In the list of categories, select Okta Test Applications, then Bookmark App.
  5. On the following page, click Add.

In the App Settings section, provide the following information:

Application Label KACE Cloud MDM Admin portal
URL https://yoursubdomain.kacecloud.com (where [yoursubdomain] is your KACE Cloud subdomain)
Request Integration Leave checkbox unchecked.
Application Visibility Leave both checkboxes unchecked.

Click Save to finish configuring this bookmark app.

Assign users and groups to the Okta bookmark application:

  1. In the Applications menu, click Assignments.
  2. Click the Assign dropdown to assign Okta users and groups.
  3. Click Save.

2) To create a new bookmark application to the KACE Cloud MDM Device Enrollment portal:

  1. Select Applications > Application in the top menu bar.
  2. Click Add Application.
  3. Click Create New App.
  4. In the list of categories, select Okta Test Applications, then click Bookmark App.
  5. On the following page, click Add.

In the General Settings section, provide the following information:

Application Label KACE Cloud MDM Device Enrollment portal
URL The URL of your KACE Cloud MDM Device Enrollment portal
Request Integration Leave checkbox unchecked.
Application Visibility Leave both checkboxes unchecked.

Click Save.

Assign users and groups to the Okta bookmark application:

  1. In the Applications menu, click Assignments.
  2. Click the Assign dropdown to assign Okta users and groups.
  3. Click Save.

Step 2b: Create Integration App

To create the new KACE Cloud MDM SSO Integration app:

  1. Select Applications > Application in the top menu bar.
  2. Click Add Application.
  3. Click Create New App.
    • This opens the Create SAML Integration Wizard.
  4. From the Platform dropdown, select Web.
  5. Select SAML 2.0.
  6. Click Create.

In the General Settings section, provide the following information:

App Name KACE Cloud MDM SSO Integration
App Visibility Check both App visibility options.

In the SAML Settings section (the Configure SAML step of the wizard), provide the following information:

Single Sign-On URL Paste the redirect URL copied from the KACE Cloud MDM SSO Wizard in Step 1a.
Requestable SSO URLs Leave blank.
Audience URI (SP Entity ID) Paste the same redirect URL, then delete "/broker/heliumsso/endpoint" from the end of it.
Default RelayState Leave blank.
Name ID format "EmailAddress"
Application username Use default: "Okta username"
Update application username on Use default: "Create and update"

In the Attribute Statements section, add the following attribute entries (all with Name Format "URI Reference"):

Name                                                                Name Format    Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname     URI Reference  user.firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname       URI Reference  user.lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  URI Reference  user.email

Auto-assign users to KACE Cloud roles based on Okta group membership (OPTIONAL)

By default, all Okta users assigned to this Okta application are given the KACE Cloud device user role. Add this entry to the Group Attribute Statements section only if you want to limit the device user role to members of a single Okta group:

Name                                                            Name Format    Filter    Value
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups  URI Reference  Contains  {Okta user group name}

By default, the KACE Cloud device admin role is assigned to a user manually. Add this entry to the Group Attribute Statements section only if you want to assign the device admin role automatically to members of a single Okta group:

Name                                                            Name Format    Filter    Value
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups  URI Reference  Contains  {Okta user group name}

Both entries use the same attribute name, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups; it must match the Attribute Name entered in the KACE Cloud role mapping in Step 3b, and the group name in the Value column is what that mapping matches on.

In the Feedback section:

  1. Select I'm an Okta customer adding an internal app.
  2. Leave all other values as Default.
  3. Click Finish.

Step 2c: Okta SSO Settings

To complete the Okta-side sign-on settings, open the Sign On tab of the KACE Cloud MDM SSO Integration application:

  • Right-click the Identity Provider metadata link and copy it.
    • This link is used to import the Okta SAML settings (SSO URL, entity ID and signing certificate) into KACE Cloud in the next step.

Step 3: KACE SSO Settings

To complete single sign-on settings using the SSO Wizard:

  1. Click the Import from URL tab.
  2. Paste the identity provider metadata link into the field.
  3. Click Import.

Once imported, most of the fields on the main SSO configuration screen of KACE Cloud MDM are populated from the Okta metadata.

Select the following value for the listed control, matching the "EmailAddress" Name ID format chosen in Okta:

NameID Policy Format - Value: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Step 3a: Update SAML Settings

1. Check 'Validate signatures of identity provider requests/responses'. The Validating Certificates text box is not visible until this box is checked.

IMPORTANT: We highly recommend leaving the 'Validate signatures of identity provider requests/responses' box checked. With validation off, KACE Cloud MDM accepts a SAML response without proof that Okta issued it, so anyone able to submit a forged response to the redirect URL could assert an arbitrary email address and log in as that user. Disable the option only temporarily, for troubleshooting.

Note: If the signing certificate was included in the identity provider metadata imported in Step 3, it is displayed in the Validating Certificates text box. If not, paste the Okta signing certificate into the box manually.

2. Click Save Settings at the bottom of the page.

Step 3b: User Attribute Mappings

User attribute mappings should be pre-populated in KACE Cloud MDM.

Note: User attribute mappings pre-populate consistently for Azure AD, Okta, and Auth0; however, some providers use different names for common attributes. When using a different identity provider, confirm its naming conventions for common attributes and add the mappings manually.

OPTIONAL: Assign User Role

By default, all Okta users assigned to the KACE Cloud MDM SSO Integration application are given the Device User role in KACE Cloud, and the KACE Cloud Device Admin role must be assigned to users manually.

To assign a role automatically based on a user's Okta group membership, select the "Automatic: Define certain attributes to assign" option for that role (Device User Role and/or Device Admin Role) and provide the following values in the fields provided:

Description A unique description for this group mapping.
Attribute Name http://schemas.microsoft.com/ws/2008/06/identity/claims/groups (the Name used in the Okta Group Attribute Statement in Step 2b).
Attribute Value The name of the existing Okta group whose members should receive this KACE Cloud role. The Okta Group Attribute Statement in Step 2b must include this group in the groups attribute it sends.
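As an added example (not KACE Cloud MDM or Okta code) covering both the attribute and group statements from Step 2b and the role mapping above, the following Python parses a constructed SAML assertion that carries exactly those attribute names, checks the Audience URI against the entity ID derived from the redirect URL, and applies the group-to-role rules. The redirect URL, user and group names are hypothetical; the assertion is unsigned and the code does not verify signatures, which a real service provider must do before trusting any of these values.

```python
"""Added example (not KACE Cloud MDM or Okta code): parse a SAML assertion
carrying the attribute statements configured in Okta and apply a KACE-style
role mapping. XML signature verification is out of scope here; a service
provider must verify the signature before trusting anything in the assertion."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as entered in the Okta attribute statements.
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # Okta's "URI Reference"

# Hypothetical redirect URL in the shape the KACE SSO wizard shows. The Audience
# URI (SP Entity ID) is the same string without the broker endpoint suffix.
REDIRECT_URL = "https://sso.example.com/realms/kace/broker/heliumsso/endpoint"
ENDPOINT_SUFFIX = "/broker/heliumsso/endpoint"


def audience_uri(redirect_url: str) -> str:
    """Derive the Audience URI exactly as Step 2b instructs: strip the suffix."""
    if not redirect_url.endswith(ENDPOINT_SUFFIX):
        raise ValueError("redirect URL does not end with " + ENDPOINT_SUFFIX)
    return redirect_url[: -len(ENDPOINT_SUFFIX)]


# Role mappings as in Step 3b: role -> (attribute name, required group value).
# Group names are hypothetical. device_user is absent here, so it keeps the
# default behaviour of being granted to every user the IdP sends.
DEFAULT_MAPPINGS = {"device_admin": (GROUPS, "MDM-Admins")}


def parse_assertion(xml_text: str) -> dict:
    """Extract NameID, audiences and attribute values from an assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in document")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    audiences = [(a.text or "").strip()
                 for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
        "audiences": audiences,
    }


def assign_roles(parsed: dict, expected_audience: str, mappings=DEFAULT_MAPPINGS):
    """Return (roles, problems). Any problem means the login must be rejected."""
    problems = []
    if expected_audience not in parsed["audiences"]:
        problems.append("audience does not match the SP Entity ID")
    if parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    for name in (GIVENNAME, SURNAME, EMAIL):
        if not parsed["attributes"].get(name):
            problems.append("missing attribute " + name)
    groups = set(parsed["attributes"].get(GROUPS, []))
    roles = set()
    if "device_user" not in mappings:
        roles.add("device_user")  # default: every Okta user assigned to the app
    for role, (attr_name, value) in mappings.items():
        if attr_name == GROUPS and value in groups:
            roles.add(role)
    return roles, problems


# Constructed, unsigned assertion for a hypothetical user in the MDM-Admins group.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkCONSTRUCTED</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience_uri(REDIRECT_URL)}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{GIVENNAME}" NameFormat="{URI_FORMAT}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{SURNAME}" NameFormat="{URI_FORMAT}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL}" NameFormat="{URI_FORMAT}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUPS}" NameFormat="{URI_FORMAT}"><saml:AttributeValue>MDM-Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["name_id"], assign_roles(parsed, audience_uri(REDIRECT_URL)))
```

Adding a `"device_user": (GROUPS, "MDM-Users")` entry to the mappings reproduces the optional single-group restriction for the device user role; a user who is only in MDM-Admins then receives the admin role but not the user role, which is exactly what the two group mappings in Step 3b would do.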

Step 3c: Enable and Test Single Sign-On

At the top of the SSO Wizard page:

  1. Check 'Enable single sign-on'.
  2. Click Save Settings.

Warning: Test that single sign-on works before checking 'Immediately redirect to identity provider'. Once redirection is on, every visit to the portal is sent to Okta, so a broken configuration hides the normal login page (see Troubleshooting for the ?nosso=1 bypass).

To test single sign-on:

  1. Open a new incognito window or private browser to ensure login data is clear.
  2. Go to the KACE Cloud portal but do not log in.
  3. Follow the Single Sign-On workflow using the customizable button.

Note: The 'Log in using your company credentials' button leads to the SSO workflow. The label on this button can be customized using the 'SSO Button Label' field at the top of the SSO Wizard.

You are directed to an Okta login page. Log in using your Okta credentials.

Single sign-on has been set up successfully if you are then taken directly to the Users landing page in KACE Cloud MDM.

Step 4: Locate Bookmarks

Users should now be able to use the two bookmark apps in the Okta application library to access the KACE Cloud Admin portal and KACE Cloud Device Enrollment portal.

Troubleshooting

Problem: Single Sign-On button not visible on KACE Cloud MDM portal.
Solution: Confirm that Enable single sign-on is checked on the SSO Settings page.

Problem: Error message on KACE Cloud MDM portal.
Solution: The identity provider validated the username and password, but KACE Cloud MDM did not accept the user. This is usually because the user is not in the identity provider group (here, the Okta group) that is mapped to a device user or device admin role. To troubleshoot:

  • Confirm the identity provider group to which the user is assigned.
  • Confirm the identity provider was configured to include group information in the SAML response. Example: for Okta, the Group Attribute Statement from Step 2b; for Azure AD, confirm the app registration was configured to include "SecurityGroups".
  • Confirm that the identity provider group has had its role mapped correctly in Step 3b.

Problem: Single Sign-On misconfiguration or identity provider error.
Solution: As part of SSO, most companies redirect their users to their identity provider's sign-in page. In the case of a misconfiguration or identity provider error, a device admin can bypass SSO by adding ?nosso=1 to the end of the product portal URL; this turns off the redirection and goes directly to the KACE Cloud MDM login screen. Example: https://yourcompany.kacecloud.com?nosso=1. The bypass only disables the redirect: the device admin still has to authenticate with a local KACE Cloud MDM account, so keep at least one local device admin account for recovery.

Problem: An "invalidFederatedIdentityActionMessage" error message is displayed on KACE Cloud MDM portal.
Solution: The identity provider signed the SAML request/responses with a certificate that does not match any of the certificates listed in the "Validating certificates" field of the KACE Cloud single sign-on configuration (for example, after the identity provider rotated its signing certificate). Ensure that the list of Validating Certificates matches the certificates currently used by your identity provider. To keep the list current automatically, enable "Refresh SAML validating certificates every day using the federation metadata document"; KACE Cloud then retrieves the latest signing certificate information each day from the URL in the "Federation metadata document URL" field.